The kube_generate_type field can be used to set what kind
of k8s object, i.e. pod or deployment, that the podman kube
generate command should generate by default.
Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Add yet another environment variable for loading containers.conf.
When CONTAINERS_CONF_OVERRIDE is set, the specified config file
will be loaded last - even when CONTAINERS_CONF is set.
This mechanism is needed to preserve system settings and other
environment variables. Setting CONTAINERS_CONF will load only
the specified config file and ignore all system and user paths.
That makes testing hard as many Podman tests use CONTAINERS_CONF
for testing.
The intended use of CONTAINERS_CONF_OVERRIDE is to set it during tests
and point it to a specific configuration of Podman (e.g., netavark with
sqlite backend).
Similar needs have popped up talking to users in the automotive and
high-performance computing space. In a way, such a setting allows for
specifying a specific "flavor" of Podman while preserving all existing
settings on the system.
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
We are getting a lot of issues on our removal of CAP_SYS_CHROOT
from the default list of capabilities used by Podman, so adding
it back until we do a major release.
This capability is also needed to successfully run the
quay.io/buildah/stable image with Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This will allow users to set all containers to automatically
set certain cgroup fields globally for all of their containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The on-going work of adding a new database backend to Podman requires it
to be configurable in containers.conf. To prevent any breaking changes,
the backend defaults to Podman's current boltdb backend. Also export
the parsing function for it to be usable by Podman.
NOTE: documentation will be added once the database rewrite in Podman
has been completed. I want to avoid any incomplete docs from leaking
into a release.
Fixes: https://issues.redhat.com/browse/RUN-1772
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Add an option to create a more verbose container-create event which
includes a JSON payload with detailed information about the container.
Jira: https://issues.redhat.com/browse/RUN-1702
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Containers.conf now supports `platform_to_oci_runtime` which allows end
users to map variant of OCI runtime for a particular platform.
Most ideal use-case of this feature is switching to crun's variant when
platform string is `wasm32/wasi`.
Example
```toml
[engine.platform_to_oci_runtime]
"wasi/wasm" = "crun-wasm"
"wasm/wasm32" = "crun-wasm"
"wasm/wasm64" = "crun-wasm"
```
Signed-off-by: Aditya R <arajan@redhat.com>
Another experimental OCI runtime for FreeBSD, similar to runj but with
a focus on podman/buildah compatibility.
Signed-off-by: Doug Rabson <dfr@rabson.org>
Used `go fmt` rules to migrate away from deprecated functions, for
instance `gofmt -w -s -r 'ioutil.TempDir(a, b) -> os.MkdirTemp(a, b)'`
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
this ensures that podman machine will still work (until we want to make this mandatory). I made the call back function more verbose so we know what is happening from now on.
Signed-off-by: Charlie Doern <cdoern@redhat.com>
The problem with setting such defaults in c/common is that podman cannot
know if a user set this or it is the default. EventsLogFilePath is not a
static path, it depends on the --tmpdir value from podman.
check
b0b36430b8/libpod/runtime.go (L1041-L1043)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
initial implementation of the ssh package including:
- nativeConnectionCreate() / golangConnectionCreate()
- n/a / golangConnectionDial()
- nativeConnectionScp() / golangConnectionScp()
- nativeConnectionExec() / golangConnectionExeC()
the way this works is that there are publicly accessible functions Create, Exec, Dial and Scp. podman will have a new global flag `--ssh` that will allow users to choose native or golang based ssh functions. The functionality in containers/common (here) also checks if you have the necessary binaries installed
closes #1091
Signed-off-by: Charlie Doern <cdoern@redhat.com>
cni_plugin_dirs validation requires directories to exist, use a
directory that is more likely to exist like /tmp instead of an
arbitrary path that won't exist on most systems
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Add a new `pod_exit_policy` field to the containers.conf's engine table.
A pod's exit policy determines the behaviour when the last container of
a pod exits.
Required-in: containers/podman/pull/13859
Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Set the ip for the host.containers.internal entry in the container's /etc/hosts
file. This can be set to "none" to disable adding this entry. By default it
will automatically choose the host ip.
Also add a function to get the correct host.containers.internal ip. This
should be used by podman and buildah and then passed to the New()
function.
Ref https://github.com/containers/podman/issues/13224
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
base_hosts_file can be used to overwrite the default base host file
/etc/hosts which is used to copy hosts entries from this file into the
container's /etc/hosts file. As a special value, "image" can be used to copy
the entries from the image hosts file or "none" to not use a base file
at all. If the value is empty we should use /etc/hosts as default.
Ref https://github.com/containers/podman/issues/13277
Ref https://github.com/containers/podman/issues/13748
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Slirp4netns options were changed to always default to ipv6 so it does
not need the extra setting. Update the documentation to reflect this.
see https://github.com/containers/podman/pull/13929
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Changing the value for events_logfile_max_size from 0 to 1048576. This allows
up to 10,000 events to be written to the events log file before rotation occurs.
Also adding new values to default.go
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
This will allow users to specify which volumes they want podman machine
to automatically mount into the machine. These volumes can later be used
to volume mount into containers.
Environment variables like $HOME can be used and are translated at the
time of machine start.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When we write a default (empty) config it should only add the default
stanza fields but never any actual config values.
This is important; see commit 6c61942524 for the reasons.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
Docker defined --ipc=private to mean that the container's IPC Namespace
can NOT be shared with another container. While --ipc=shareable can,
which is our current default. Docker also defines "none" which means
the container runs in an IPC namespace but does NOT mount a /dev/shm.
"Host" means the container runs in the host namespace, and
container:UUID means run new container in other containers namespace.
ns:PATH means run in the namespace designated in PATH.
This patch fixes containers/common to reflect the correct default.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add a new option to the `[engine]` table in containers.conf
for specifying the maximum size of `events_logfile_path`.
Once exceeded, Podman will rotate the logfile and delete
the old one.
Also add tests to make sure we're not regressing in the future.
Signed-off-by: Niall Crowe <nicrowe@redhat.com>
Because `sdjournal` library just ignores directories which are not
accessible, `journald` log driver is set as the default for a user who
cannot access the journal. As a result, the user cannot see logs of
containers via `podman logs`.
This change verifies accessibility of journal directories without
the library.
Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
Reduce the logs for unknown keys from Warn to Debug level.
The containers.conf continuously receives new keys, and some consumers
(e.g., Podman) are updating it at runtime. Even small divergences in
the vendored versions of containers/common can let one tool run fine and
the other print warnings for each invocation. Reducing the log-level to
debug works around that problem at the cost of honest typos not being
as easy to detect as before.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
When toml writes the config file it does not use `omitempty` for numeric
values; instead it requires `omitzero`. [1]
The problem is that without this change, `config.Write()` writes
```
[machine]
cpus = 0
disk_size = 0
memory = 0
```
to the user file. Because podman machine system connection add code will
do this the config file is broken afterwards. The first vm will be created
successfully but after this every other vm will be broken because the
cpu, memory and disk size are set to zero.
[1] https://github.com/BurntSushi/toml/pull/81
Fixes containers/podman#11824
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
If you use this field in rootless mode, it will blow up,
since rootless mode can not use the host user namespace.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Allow users to set the default location for the temporary files used
during image pulls and pushes.
Defaults to /var/tmp;
Overridden via "TMPDIR" environment variable.
Allow special flag "storage" to indicate that the storage should use
the tmp directory in containers/storage/tmp.
Needed to fix: https://github.com/containers/podman/issues/11107
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This field contains a list of directories which should be used to store
some helper binaries, e.g. gvproxy.
Also add a FindHelperBinary method to the config struct to get the full
path to a helper binary.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
We had a bogus setting for secrets in our default containers.conf
[secret] should have been [secrets].
Also added a test to make sure this never happens again.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently if a user puts a typo into a containers.conf
or puts the keys in the wrong section, then tools using
container-common ignore them. This patch will print them
as warnings, so that the user has some idea.
I have tested this locally with Podman.
```
./bin/podman run alpine echo hi
WARN[0000] Failed to decode the keys ["containers.events_logger" "engine.foo"] from "/home/dwalsh/.config/containers/containers.conf".
WARN[0000] Failed to decode the keys ["containers.events_logger" "engine.foo"] from "/home/dwalsh/.config/containers/containers.conf".
WARN[0000] Failed to decode the keys ["containers.events_logger" "engine.foo"] from "/home/dwalsh/.config/containers/containers.conf".
WARN[0000] Failed to decode the keys ["containers.events_logger" "engine.foo"] from "/home/dwalsh/.config/containers/containers.conf".
hi
```
With ~/.config/containers/containers.conf
```toml
[containers]
events_logger = "file"
[engine]
foo="bar"
```
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Currently we have users failing to run containers within containers
or on systems without systemd support. This change will give us
better defaults on these systems.
Fixes: https://github.com/containers/common/issues/580
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
You should be able to specify --cap-add=all --cap-drop=cap_perfmon
And end up with all capabilities except cap_perfmon.
You should not be allowed to specify --cap-add all --cap-drop all
The outcome would be undefined.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
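The add/drop rules in the commit message above, as an added Go example (not code from containers/common): `mergeCaps`, `normalize` and the four-entry `knownCaps` list are hypothetical and constructed for illustration, and letting an explicit drop win over an add is a choice of this sketch.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// knownCaps is a constructed, shortened capability list, keyed without "CAP_".
var knownCaps = map[string]bool{"CHOWN": true, "KILL": true, "PERFMON": true, "SYS_CHROOT": true}

// normalize upper-cases each name, strips "CAP_" and rejects unknown names.
func normalize(lists ...[]string) ([]map[string]bool, error) {
	sets := make([]map[string]bool, len(lists))
	for i, caps := range lists {
		sets[i] = map[string]bool{}
		for _, c := range caps {
			c = strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(c)), "CAP_")
			if c != "ALL" && !knownCaps[c] {
				return nil, fmt.Errorf("unknown capability %q", c)
			}
			sets[i][c] = true
		}
	}
	return sets, nil
}

// mergeCaps (hypothetical name) returns defaults + adds - drops, sorted.
func mergeCaps(defaults, adds, drops []string) ([]string, error) {
	n, err := normalize(defaults, adds, drops)
	if err != nil {
		return nil, err
	}
	base, add, drop := n[0], n[1], n[2]
	if add["ALL"] && drop["ALL"] {
		return nil, fmt.Errorf("--cap-add=all with --cap-drop=all is undefined")
	}
	if drop["ALL"] {
		base = nil // drop everything; only explicit adds survive
	} else if add["ALL"] || base["ALL"] {
		base = knownCaps // ALL expands to the known list
	}
	out := []string{}
	for c := range knownCaps {
		// An explicit drop wins over an add (a choice made for this example).
		if (base[c] || add[c]) && !drop[c] {
			out = append(out, "CAP_"+c)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() { fmt.Println(mergeCaps([]string{"CHOWN", "KILL"}, []string{"all"}, []string{"cap_perfmon"})) }
```

Rejecting unknown names before merging means a typo in a drop list fails loudly instead of silently leaving the capability in place.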
Commit ebfe786429 changed the default logging driver k8s-file to
journald. The only consumer of the log-driver is Podman which I think
still needs some more time to stabilize. Vendoring containers/common
into Podman has revealed quite some warts (see
containers/podman/pull/10222) which reduced my confidence level.
To resolve the chicken-egg-problem of maturing the journald driver, I
want to only partially revert commit ebfe786429. The built-in default
remains k8s-file while the containers.conf sets it to journald. The
intention behind is to make sure that running systems are not impacted
but we can change Fedora to journald to increase coverage.
Once the confidence level is back to normal, we can change the default
to journald. Latest before RHEL9.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
We got some crashes in Fedora 34 testing.
Second part of this PR is to fix the config_test which is accidentally
picking up a containers.conf settings from the host. This change forces
the default settings.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This eliminates the concern of log files growing infinitely and also
records all containers for posterity rather than allowing the removal
of a container to destroy the record.
Partially fixes: https://github.com/containers/podman/issues/9158
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
follow up to "capabilities: add new method BoundingSet()".
When ALL is used, limit it to the known capabilities in the bounding
set instead of ALL the known capabilities.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This reverts commit 451f5fb68b.
Journald is not yet passing Podman CI. We need to temporarily revert
the commit to unblock secrets work.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Currently when pulling/pushing images we default to the format
of the source image. When Building images we default to OCI.
Customers have asked us to allow them to force a specific image
type when pushing to a registry.
We already have a flag for building images.
This PR adds image_default_format to define the format to be used
by all tools creating/building/pulling and pushing images.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This will allow users to configure the amount of parallel copies that
the container engines are allowed to do. This allows users to configure
their systems to match their available network settings.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Need to be able to get default container environment
based on use provided functions on httpProxy and use
the environment from the host.
This way users can modify the environment from podman
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In the containers.conf we default to true, but in code and man page
it is defaulted to false. Since Podman wants it defaulted to true
we need to change default and man page to match.
Also fixed the testing for SELinux, which would never succeed on an SELinux box.
Helps fix: https://github.com/containers/podman/pull/8844
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Users on the MAC have pointed out that they could have multiple connections
to different servers, and they asked to be able to specify the connection
name via environment variable rather than to always have to specify the
connection on the command line if they did not want to use the default
setting.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Set pullpolicy case-insensitive for fixing https://github.com/containers/podman/issues/7246. And replace the duplicate code in podman with c/common code.
Signed-off-by: Qi Wang <qiwan@redhat.com>
We want to make sure that the TERM environment variable is always
set. TERM defaulted to ansi might be better, but we want to match
Docker defaults, so we will stick at xterm.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The default AppArmor profile is now prefixed with
`container-default-$VERSION`, whereas the version is now part of a new
`version` package.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
We need to normalize the capadd and capdrop functions, and
we need to return errors if the caller gives us bad input.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
We need to identify the list of containers that support KVM separation, these
containers can run with a different SELinux label, and we might be able to
make different decisions in the container engines about how to launch these
containers.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
containers/common pkg/config is for more engines than just libpod.
We want to use the 'libpod' section to configure parts of buildah. Renaming this
section to engine, makes it more obvious to users that these fields can affect other
container engines.
Certain fields are still libpod specific, so we do not change those fields.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
In NewConfig(), settings in the file whose name we're passed should
matter more than the hardwired default files, or the file named in the
CONTAINERS_CONF environment variable.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
pull_policy is the same as podman run --pull option to determine whether to pull a new image when running a container.
Accepted "always", "missing", and "never". Default value is "missing".
Signed-off-by: Qi Wang <qiwan@redhat.com>
Replace pkg/caps with pkg/capabilities (from libpod). It's also a fork
from Docker but attributes its origin with copyright notes and has a
trimmed down (and faster) API.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This is causing issues in rootless and remote mode. We should not be creating
directories on the fly.
Also stop exporting functions that are not used by Buildah and Podman.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
The Capability check handles merging of Default capabilities along
with user specified add and drop capabilities.
Fork docker/docker/oci/caps file to prevent a huge vendor
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Fix handling of toml files
No longer need merge, since we can specify a default conf for each toml file.
The toml code will retain the previous defaults and only use the newly specified
values.
This greatly simplifies the code.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Add configurations from libpod.conf to containers.conf. Use merge code from libpod to read and merge configurations from file.
Add unshare_linux for build linux: HomeDir should buildah not only for linux. so add unshare_linux for linux and unshare.go for other
convert bool to optionalbool: Use OptionalBool for on-disk configurations so we can distinguish field is undefined vs. user set to false.
Signed-off-by: Qi Wang <qiwan@redhat.com>